Cyber Regulation Lost In A Time Machine

Jettisoning Old Ideas about Securing Vital IT Networks

By Eric Chabrow (Gov Info Security)

The concept of time supported contrary views on the need for more stringent government regulations to protect the nation’s critical information infrastructure.

For Larry Clinton, chief executive of the industry lobbying group Internet Security Alliance, regulation is so last century and other factors such as economics play a more vital role in securing critical IT. James Lewis, one of the go-to guys on national IT security policy, says the industry-knows-best approach to IT security is a dated concept from an earlier era.

The critical IT infrastructure controls the flow of money, energy, food and other vital goods and services that keep society functioning, and both men testified at a Feb. 8 hearing held by the House Energy and Commerce Communications and Technology Subcommittee that addressed the federal government’s role in mitigating threats to the mostly privately owned communications networks.

Clinton contends federal regulation won’t foster greater protections because it’s largely reactive and fails to stay ahead of the ever-evolving threat. Worse yet, he says, bad regulation leads companies to spend limited resources on compliance rather than on protective measures. The biggest challenge to battle cyberthreats, he says, is economic, not technological:

“Trying to use 19th and 20th century models and federally regulating the Internet will not be effective. We need a much more contemporary and creative approach wherein the private sector is engaged, not controlled by our government partners.”

A common argument among those railing against too much government regulation is that 80 percent to 90 percent of the nation’s critical IT infrastructure is owned and operated by the private sector and that those businesses – and not a central government – know best how to protect their networks. After all, those industries have the knowledge, expertise and motivation (drive to increase profit) to keep these critical networks safe.

Lewis, director and senior fellow for technology and public policy program at the Washington think tank Center for Strategic and International Studies, agrees areas exist where the government should not interfere, but suggests that cybersecurity might not be one of them. Says Lewis:

“Cybersecurity is a national security problem that requires more government involvement, not less. We often hear that the private sector owns 80 or 90 percent of the infrastructure. This idea is a leftover from the dot.com era and not very helpful. A better way to think about cybersecurity is that the private sector owns 90 percent of the targets. We do not ask airlines to protect our airspace and no one says that because the private sector owns 80 percent of beachfront property that we do not need a navy. The same logic applies to cybersecurity.”

Both men are not diametrically opposed to one another; they both support a carrot-and-stick approach to cybersecurity, with Clinton recommending more carrot and Lewis more stick.

Says Clinton:

“The evidence is overwhelming that the largest barrier to securing cyberspace is economic. For industries where the economics of the industry are tied directly to a regulatory format, such as electric utilities, water, transportation, etc., the current regulatory structure can be used to motivate and fund needed cyber advancements. For industries where the economics are not inherent to a regulatory structure, we need to motivate by providing appropriate market incentives to spur greater security investment.”

Lewis says one reason incentives may not be sufficient is that many operators of the critical IT infrastructure don’t fully understand their systems. Ask many critical infrastructure companies if their control systems are connected to the Internet, Lewis says, most will say no. Examine their systems, he says, citing a Department of Homeland Security review, you’ll find Internet connections they’re unaware of. “Hackers can find these connections and use them for attacks.” he says, adding:

“Companies will not provide cybersecurity adequate for national security on a voluntary basis. A company may not know of the vulnerability, it may underestimate the threats it faces, and it may have no desire to spend money on security when this does not generate a return on investment. There is no disagreement that burdensome, prescriptive regulation should be avoided, but a reliance on voluntary or widely accepted business practices – what we do today – will damage national security.”

Lewis says the best alternative to prescriptive regulation and inadequate voluntary practices is a pragmatic, standards-based approach that sets goals and then lets companies decide how best to achieve them.

These views will be repeated in the coming months as Congress mulls various measures aimed at protecting the government’s and nation’s IT systems. Despite more attention being given to cybersecurity by lawmakers, the question whether Congress will do something about it remains a mystery. We’ll learn soon if Congress’ ability to enact a complex, cybersecurity law is lost in time.